Abstract: The technology disclosed relates to a DHCP relay-based steering logic for policy enforcement on IoT devices. In particular, the technology disclosed provides a steering logic that is interposed between a plurality of special-purpose devices on a network segment of a network and a DHCP server on the network segment. The steering logic is configured to intercept DHCP requests broadcasted to the DHCP server by special-purpose devices in the plurality of special-purpose devices, forward the intercepted DHCP requests to the DHCP sever 522, receive, from the DHCP server, DHCP responses to the intercepted DHCP requests, receive, from a device classification logic, a positive determination that the special-purpose devices are special-purpose devices and not general-purpose devices, modify the received DHCP responses by replacing the default gateway with an inline secure forwarder on the network segment, and send the modified DHCP responses to the special-purpose devices.

Abstract: The technology disclosed relates to a transparent inline secure forwarder for policy enforcement on IoT devices. In particular, the technology disclosed provides a system. The system comprises a plurality of special-purpose devices on a network segment of a network. The system further comprises a default gateway of the network segment configured to receive outbound network traffic from special-purpose devices in the plurality of special-purpose devices. The system further comprises an inline secure forwarder configured to share an Internet Protocol (IP) address with the default gateway in a transparent mode to intercept the outbound network traffic prior to the default gateway receiving the outbound network traffic, and route the intercepted outbound network traffic to a policy enforcement point for policy enforcement.

Abstract: The technology disclosed relates to a transparent inline secure forwarder for policy enforcement on IoT devices. In particular, the technology disclosed provides a system. The system comprises a plurality of special-purpose devices on a network segment of a network. The system further comprises a default gateway of the network segment configured to receive outbound network traffic from special-purpose devices in the plurality of special-purpose devices. The system further comprises an inline secure forwarder configured to share an Internet Protocol (IP) address with the default gateway in a transparent mode to intercept the outbound network traffic prior to the default gateway receiving the outbound network traffic, and route the intercepted outbound network traffic to a policy enforcement point for policy enforcement.

Abstract: Systems, methods, and related technologies for device classification are described. In certain aspects, traffic data associated with a device and data from an external system can be accessed. The data can be processed to determine a device classification for the device. An action can be initiated based on the classification.

Abstract: The technology disclosed relates to configuring IoT devices for policy enforcement. In particular, the technology disclosed relates to configuring a plurality of special-purpose devices on a network segment of a network to steer outbound network traffic to an inline secure forwarder on the network segment instead of a default gateway on the network segment. The inline secure forwarder is configured to route the outbound network traffic to a policy enforcement point for a policy enforcement.

Abstract: Systems, methods, and related technologies for device identification are described. In certain aspects, packet data associated with a device can be analyzed and a score determined. The score and the threshold can be compared to determine a device identification for the device.

Abstract: Systems, methods, and related technologies for account access monitoring are described. In certain aspects, a login request associated with a device can be analyzed and a score determined. The score and a threshold can be used to determine whether to initiate an action.

Abstract: The technology disclosed relates to a method, system, and non-transitory computer-readable media that detects malicious communication between a command and control (C2) cloud resource on a cloud application and malware on an infected host, using a network security system. The network security system reroutes the cloud traffic to the network security system. The incoming requests of the cloud traffic are directed to a cloud application in the plurality of cloud applications, and wherein the cloud application has a plurality of resources. The network security system analyzes the incoming requests, determines that the incoming requests are targeted at one or more malicious resources in the plurality of resources.

Abstract: Systems, methods, and related technologies for device software monitoring and device software updating are described. In certain aspects, a device is selected based on being a smart device and a software version of associated with the software of the device is determined. The device software may then be automatically updated if newer software is available.

Abstract: Disclosed is a method of building a customized deep learning (DL) stack classifier to detect organization sensitive data in images, referred to as image-borne organization sensitive documents, and protecting against loss of the image-borne organization sensitive documents, including distributing a trained feature map extractor stack, with stored parameters, configured to allow the organization to extract from image-borne organization sensitive documents, feature maps that are used to generate updated DL stacks and to save non invertible feature maps derived from the images, and ground truth labels for the image. Also included is receiving organization-specific examples including the non-invertible feature maps extracted from the organization-sensitive documents and the ground truth labels and using the received organization-specific examples to update a customer-specific DL stack classifier. Further included is sending the customer-specific DL stack classifier to the organization.

Abstract: The technology disclosed relates to a method, system, and non-transitory computer-readable media that trains a cloud traffic classifier to classify cross-application communications as malicious command and control (C2) traffic or benign cloud traffic. The training uses blocks of malicious Hypertext Transfer Protocol (HTTP) transactions targeted at a plurality of cloud applications by a plurality of clients prequalified as malicious command and control (C2) cloud traffic, and also blocks of benign HTTP transactions targeted at the plurality of cloud applications by the plurality of clients prequalified as benign cloud traffic. A cloud traffic classifier is trained on the cross-application malicious training example set and on the cross-application benign training example set by processing the blocks of the malicious and benign HTTP transactions as inputs, and generating outputs that classify the training examples as respectively malicious C2 cloud traffic or benign cloud traffic.

Abstract: Disclosed is detecting identification documents in image-borne identification documents and protecting against loss of the image-borne identification documents. A trained deep learning (DL) stack is used to classify production images by inference as containing a sensitive image-borne identification document, with the trained stack configured with parameters determined using labelled ground truth data for the identification documents and examples of other image documents. The trained DL stack is configured to include a first set of layers closer to an input layer and a second set of layers further from the input layer, with the first set pre-trained to perform image recognition before exposing the second set of layers of the stack to the labelled ground truth data for the image-borne identification documents and examples of other image documents, and using the inferred classification of the sensitive image-borne identification document in a DLP system to protect against loss by image exfiltration.

Abstract: Systems, methods, and related technologies for device software monitoring and device software updating are described. In certain aspects, a device is selected based on being a smart device and a software version of associated with the software of the device is determined. The device software may then be automatically updated if newer software is available.

Abstract: The technology disclosed relates to distributing a trained master deep learning (DL) stack with stored parameters to a plurality of organizations, to detect organization sensitive data in images, referred to as image-borne organization sensitive documents, and protecting against loss of the image-borne organization sensitive documents. Disclosed is providing organizations with a DL stack update trainer, under the organizations' control, configured to allow the organizations to perform update training to generate updated DL stacks, without the organizations forwarding images of organization-sensitive training examples, and to save non-invertible features derived from the images, ground truth labels for the images, and parameters of the updated DL stacks.

Abstract: The disclosed technology teaches a method for evaluating user compliance with an organization's security policies, formulating a user confidence or risk score, comprising scoring for each user a sum of alert weights, categorized by severity, and generated over time. Each contribution to an alert weight is generated due to an activity by the user that the organization's security policies treat as risky. Alert weights, over time, are subject to a decay factor that attenuates the alert weights as time passes. Also disclosed is reporting the user confidence score, comprising causing display of a time series of the user confidence or risk scores over a predetermined time and/or a current user confidence or risk score and/or at least some details of the activity by the user that contributed to the alert weights over time.

Abstract: The disclosed technology teaches a method of calibrating a user confidence or risk score that expresses evaluation of user behavior that was not compliant with an organization's security policies, including configuring components of the user confidence or risk score, comprising configuring categorical alert weights, categorized by severity, responsive to administrator controls, for alerts to be generated due to an activity by the user that the organization's security policies treat as risky, and configuring a decay factor that attenuates the alert weights as time passes, responsive to an administrator sensitivity control. The disclosed method includes causing display of resulting user behavior evaluation examples, based on activity examples for user examples, comprising causing display of a time series of the user confidence or risk scores for the activity examples for the user examples, and a resulting user confidence or risk score for the user examples.

Abstract: Disclosed is a method of building a customized deep learning (DL) stack classifier to detect organization sensitive data in images, referred to as image-borne organization sensitive documents, and protecting against loss of the image-borne organization sensitive documents, including distributing a trained feature map extractor stack with stored parameters to an organization, under the organization's control, configured to allow the organization to extract from image-borne organization sensitive documents, feature maps that are used to generate updated DL stacks, without the organization forwarding images of organization-sensitive training examples, and to save non invertible feature maps derived from the images, and ground truth labels for the image.

Abstract: Systems, methods, and related technologies for device classification are described. In certain aspects, one or more properties are selected based on associated respective ranks. The selected one or more properties are used with information associated with the device to determine a classification. The classification may then be stored.

Abstract: The disclosed technology teaches a method of reducing false detection of anomalous user behavior on a computer network, including forming groups from identity and access management (IAM) properties and assigning the users into initially assigned groups based on respective IAM properties, and recording individual user behavior in a statistical profile, including application usage frequency. The method also includes dynamically assigning a user with a realigned group, different from the initial assigned group, based on comparing the recorded user behavior, with user behavior in statistical profiles of the users in the groups, evaluating and reporting anomalous events among ongoing behavior of the individual user based on deviations from a statistical profile of the realigned group. The method utilizes common app usage for forming the groups, in some cases.

Abstract: Systems, methods, and related technologies for self-training classification are described. In certain aspects, a plurality of device classification methods with associated models are accessed. Each of the classification methods have an associated reliability level. The models of classification methods with a higher reliability level than other classifications methods are used to train the models associated with lower reliability level. The trained models and associated classification methods are thus improved.